
Smartphone App Security PDF

102 Pages·2017·2.8 MB·English
by  ZhangLinxi


Smartphone App Security: Vulnerabilities and Implementations

by Linxi Zhang

A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science (Computer and Information Science) in the University of Michigan-Dearborn, 2018

Master’s Thesis Committee:
Associate Professor Di Ma, Chair
Associate Professor Jinhua Guo
Associate Professor Shengquan Wang

Dedication

Every challenging work needs not only self-motivation but also the guidance of elders, especially those who are very close to my heart. I would like to dedicate my humble effort to my sweet and loving parents, whose support over the years helped me finish this dissertation.

Acknowledgements

I would like to take this opportunity to thank my advisor Dr. Di Ma for her invaluable guidance, consistent support, and encouragement. I thank her not only for the professional research training but also for teaching me every essential, including ethics, rules, and principles, to be knowledgeable and scientific in my future life and research. I would also like to thank the members of my master’s committee, Dr. Di Ma, Dr. Jinhua Guo and Dr. Shengquan Wang. Furthermore, I thank all the team members of the SAFE lab in the UM-Dearborn CIS department. I appreciate the time and opportunities for brainstorming and discussions with the most talented co-workers, Haoyu Li, JiaFa Liu, Huaxin Li, Shuang Yu, etc. I would also like to thank Xing Jin, who implemented the HTML5 experiments and kindly gave me suggestions, discussed my research problems with me and exchanged ideas. I also appreciate the UM-Dearborn CIS students, Brandon Falk, Shuang Yu, etc. They took their precious time to take my lab experiment surveys and gave me a lot of feedback and suggestions for improvement. Finally, I would like to thank my husband, Xuke Yan. Without his company and support over the years and his encouragement to continue my research work, I could not have completed my master’s thesis so quickly and precisely.
Table of Contents

Dedication  ii
Acknowledgements  iii
List of Tables  vii
List of Figures  viii
List of Appendices  x
Abstract  xii
Chapter 1 Introduction  1
Chapter 2 SSL Implementation Vulnerability  4
  2.1 Overview  4
  2.2 Background  5
    2.2.1 Android and Secure Socket Layer  5
    2.2.2 HTTP and HTTPS  10
    2.2.3 Man-in-the-Middle Attack  12
  2.3 Validation Experiment Design  13
    2.3.1 Motivation  13
    2.3.2 Lab Design  14
    2.3.3 Tools for the Experiment  15
    2.3.4 Experiment Implementation  18
Chapter 3 WebView Attacks  23
  3.1 Overview  23
  3.2 Background  23
    3.2.1 WebView  24
    3.2.2 Trusted Computing Base and Sandbox Protection  24
    3.2.3 Two Types of Attacks  25
    3.2.4 JavaScript Injection Attack  28
  3.3 Validation Experiment Design  28
    3.3.1 Motivation  28
    3.3.2 Lab Design  29
    3.3.3 Tools for the Experiment  30
    3.3.4 Experiment Implementation  31
Chapter 4 HTML5-Based Application  35
  4.1 Overview  35
  4.2 Background  36
    4.2.1 HTML5 and Hybrid App  36
    4.2.2 PhoneGap  39
    4.2.3 The Code Injection Attack  41
  4.3 Validation Experiment Design  45
    4.3.1 Motivation  45
    4.3.2 Lab Design  46
    4.3.3 Tools for the Experiment  46
    4.3.4 Experiment Implementation  47
Chapter 5 Conclusion and Future Work  50
References  52

List of Tables

Table 2-1 Configuration of Lab Tools  16
Table 3-1 Configuration of Lab Tools  30
Table 4-1 Configuration of Lab Tools  47

List of Figures

Figure 1 2016-2017 Worldwide Smartphone OS Market Share from IDC [32]  6
Figure 2 SSL Handshake [2]  7
Figure 3 Generation/Verification of Digital Signature  9
Figure 4 HTTP vs HTTPS  11
Figure 5 Man-in-the-Middle Attack  12
Figure 6 Man-in-the-Middle Attack-2  13
Figure 7 Lab Architecture  15
Figure 8 Process of Explicit HTTP  17
Figure 9 Lubuntu Platform Setting  18
Figure 10 Setting up Proxy-1  19
Figure 11 Setting up Proxy-2  19
Figure 12 Setting up Proxy-3  20
Figure 13 Android Emulator  21
Figure 14 Account and Password Caught by mitmproxy  22
Figure 15 Java-to-JavaScript Attack  27
Figure 16 JavaScript-to-Java Attack  28
Figure 17 JavaScript Injection Attack  30
Figure 18 Interface of the Malicious App  32
Figure 19 Filling in User’s Information  33
Figure 20 User’s Information Caught by Attacker  34
Figure 21 Native App  38
Figure 22 Web App  38
Figure 23 Native App  39
Figure 24 The Usage of PhoneGap  40
Figure 25 Structure of PhoneGap  41
Figure 26 XSS Attack and Code Injection Attack  43
Figure 27 Code Injection Attack for HTML5-based App  46
Figure 28 MP3 File Properties  48
Figure 29 Example Contact Information  48
Figure 31 Example MP3 Player Interface  49
Figure 30 Attack Result  49


